Merge "Allow keystone to configure secure RBAC options"

2022-01-12 02:57:14 +00:00 · 2022-01-12 02:57:14 +00:00 · 1f871217c2
commit 1f871217c2
parent 70aaf86eef b49da72366
2 changed files with 13 additions and 0 deletions
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@ -626,6 +626,10 @@ outputs:
              keystone::using_domain_config: True
              tripleo::profile::base::keystone::ldap_backends_config:
                get_param: KeystoneLDAPBackendConfigs
+          - if:
+            - {get_param: EnforceSecureRbac}
+            - keystone::policy::enforce_scope: true
+              keystone::policy::enforce_new_defaults: true
          - if:
            - change_password_upon_first_use_set
            - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse}
--- a/releasenotes/notes/enable_secure_rbac_for_keystone-62685484ef589726.yaml
+++ b/releasenotes/notes/enable_secure_rbac_for_keystone-62685484ef589726.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - |
+    Keystone can now be configured to support secure RBAC `personas
+    <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#roles-definitions>`_
+    with the `EnforceSecureRbac` setting. Note that deployments with mixed permission
+    models will have unexpected side-effects. Setting this option won't have
+    meaningful effect until all services in your deployment support secure RBAC
+    personas.